Re: AW: AW: Crypto Randomly Not Getting Initialized

Tue, 13 Jun 2023 08:59:06 -0700 

Thomas,

On 6/13/2023 10:45 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:

Hello Jerry,



-----Ursprüngliche Nachricht-----
Von: Jerry Malcolm <techst...@malcolms.com>
Gesendet: Dienstag, 13. Juni 2023 17:35
An: users@tomcat.apache.org
Betreff: Re: AW: Crypto Randomly Not Getting Initialized

Hi Thomas,

On 6/13/2023 2:08 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:

Hello Jerry,


-----Ursprüngliche Nachricht-----
Von: Jerry Malcolm <techst...@malcolms.com>
Gesendet: Dienstag, 13. Juni 2023 08:50
An: users@tomcat.apache.org
Betreff: Crypto Randomly Not Getting Initialized

I am running Tomcat 9.0.56 in multiple AWS EC2 instances with Amazon
Linux2 in a production environment.  A couple of years ago, we
started getting weird errors that the "Crypto Mechanism" failed to
initialize. Through a lot of trial and error, and reasons I don't
quite remember, we put a 2-min delay in rc.local before starting
Tomcat, and the problem went away.  I'm not a Linux nor a crypto
guru.  But we traced it to some crypto file that we assumed was not
available until later in the Linux boot sequence.  Anyway, the 2
minute delay made it go away, for over two years.  Then all of a
sudden in the last day or so, it's back with a vengeance.  It fails
with the same crypto error from 2 years ago in about 50% of the EC2 boot

ups.  I tried bumping the wait to 3 min, and no change.

I need help.  Our whole production environment is unstable now since
every time an ASG brings a new instance online, I've got a 50-50
chance that tomcat is going to die (and the health check doesn't
catch it, but that's a different issue).

There are no errors in the Tomcat boot sequence logs.  But the first
time and every subsequent time I try to get a connection from the
DataSource pool, I get the stack dump shown below.

I figure it has to be a timing/race condition.  But I have no clue
what to do to fix it.  I'm baffled that it worked for two years, and
now fails every other time I start an instance.  And every instance
is running copies of the exact same Amazon Machine Image.  The same
EC2 will come up clean 50% of the time the next time it boots.

Can somebody with Tomcat/Crypto/Linux knowledge unravel what's

going

on here?  Thx

java.lang.ExceptionInInitializerError
           at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
           at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
           at
java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCip
her.jav
a:509)
           at java.base/sun.security.ssl.SSLCipher.<init>(SSLCipher.java:498)
           at java.base/sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:81)
           at
java.base/sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:65)
           at
java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCiphe
rSuit
es(SSLContextImpl.java:348)
           at
java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>
(SSLC
ontextImpl.java:580)
           at java.base/java.lang.Class.forName0(Native Method)
           at java.base/java.lang.Class.forName(Class.java:315)
...

           at


com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:

948)
           at


com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:818)

           at

com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:448)

           at
com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)
           at


com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:

198)
           at


org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection

(
DriverConnectionFactory.java:52)
           at


org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(Po

olableConnectionFactory.java:415)
           at


org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactor

y
(BasicDataSource.java:111)
           at


org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnection

Factory(BasicDataSource.java:649)
           at


org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDa

taSource.java:532)
           at


org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataS

ource.java:731)
           at jwm.db.DBData.getConnection(DBData.java:506)   //// my
call to get a db connection from connection pool ////

...

Caused by: java.lang.SecurityException: Can not initialize
cryptographic mechanism
           at
java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:120) ...
86 mo Caused by: java.lang.SecurityException: Can't read
cryptographic policy
directory: unlimited
           at


java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:

326)
           at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
           at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
           at
java.base/java.security.AccessController.doPrivileged(Native
Method)
           at
java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:107)
           ... 86 more


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Could it be this issue?
https://github.com/docker-library/openjdk/issues/101

Maybe you can add information about the used jdk and whether you are

using containers.

Greetings,
Thomas

I'm running Java 11.0.16.  No Docker or other containers.  Just straight
Tomcat running standalone.  The github link refers to a Java 9 / Docker
issue.  I guess it could be related.  But I'm not sure due to different
environments, and my situation only fails half the time.  Thx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org

Maybe you can compare the available ciphers during runtime:
https://stackoverflow.com/questions/9333504/how-can-i-list-the-available-cipher-algorithms
Print all ciphers in both environments and check if there are differences.

System properties are also worth comparing:
https://mkyong.com/java/how-to-list-all-system-properties-key-and-value-in-java/

Greetings! Thomas
There is only one environment.  I have the same image copied to all servers.  All servers are identical EC2 types.  On EC2 boot, about half of them throw the exception and the other half boot fine.  Then reboot everything, some of those that failed boot fine and some of the ones that worked failed.  Basically it's one environment that has a 50-50 chance of failing on a boot.  And this just started failing after two years of working fine with no (obvious) changes to TC, Liinux, or anything else.  My TC webapp code is changing.  But it doesn't seem like there would be anything a webapp could do to start this random failing (??) 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to